Password strength in the days of John the Ripper

Password strength is a big deal, especially now that there are several excellent password cracking tools: John the Ripper (offline cracking of stolen password hashes) and THC Hydra (online brute forcing of login services), to name just two. There is also a fair chance that your credentials are already out there on the dark web, courtesy of breaches at innumerable companies. Hence the need for strong passwords that you can remember but do not reuse across websites and applications. This post is to share a technique that I’ve been using for decades, which came from individuals who worked for a national intelligence agency.

Let us start with a few basic terms:

  • Password – The secret that you type in from memory (preferably). A well-built system never stores it as typed: it keeps a hash of it to verify logins, or runs it through a key-derivation function to produce the key that unlocks the encryption.
  • Passphrase – A set of words, preferably not associated with yourself, also from memory, used the same way (hashed for verification or fed to a key-derivation function). Its length is what makes it harder to guess.
  • Biometrics – A physical attribute of yourself such as a fingerprint or a retina scan. It is matched against a stored template rather than hashed like a password, and on most devices it merely unlocks a password or key held on the device. Unlike a password, it cannot be changed if it leaks.
  • Two Factor Authentication (2FA) – A secondary method in addition to your password to confirm identity. These can be any of (in increasing levels of security, since e-mail and text messages can be intercepted or redirected by a SIM swap):
    • email,
    • a text message,
    • a time-coded application such as Google Authenticator or Authy,
    • and a physical device such as a YubiKey. In some instances the physical device can be used in lieu of a password.

The technique by example

There is a great example of the technique on the website XKCD at https://xkcd.com/936/, linked as an image, below. The technique is to generate a set of words, three or four at minimum. These words must not be associated with you or yours. They should be easy to remember but not easy to brute force, and they should only be used on one website or application.

© XKCD “PASSWORD STRENGTH”

Generating the Passphrase

Generating a passphrase that is secure but also not associated with you can be a challenge. We have to be careful that we don’t use something that we have inadvertently given clues to. Do you read your Bible? Nix using Bible phrases, as the Good Book has been fully scraped. Pretty much the same for any Wisdom Tradition in any written language, and for phrases from great works of literature, science, etc. If social media indicates you are a fan of Nietzsche, guess where the hunt for your passwords/passphrases starts? So you want something random but easy to remember. That is where the individuals in national security agencies came in: they recommended Diceware!

Diceware is a simple concept. You take dice (five rolls per word, or five dice thrown at once) and a word list of 7776 words (6^5) indexed by the five-digit result. You want a word, you roll the dice, and that roll is the index to the first word. Repeat as necessary. Each word adds about 12.9 bits of entropy, so three words is roughly 39 bits, four about 52, and six about 78. Three words is usually enough behind a rate-limited online login, four for important accounts, and six for anything an attacker can crack offline at their leisure (a password-manager vault, full-disk encryption, a leaked hash), which is also the minimum the Diceware site itself now recommends. Character substitution ( 1 = i = !, a = @, s = $, capital letters, etc. ) in a pattern you won’t forget adds a little, but don’t count on it: cracking tools such as John the Ripper apply exactly those substitution rules to dictionary words, so an extra word buys far more than extra symbols.
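The procedure above, as a small Python example added here (it is not code from the original post or from the Diceware site): it parses a word list in the Diceware file format, takes five-digit indices either from physical dice or from the OS cryptographic random generator, and reports the entropy of the result. The eight-entry word list embedded below is constructed for the demo; the real list has all 7776 entries, and the function names are my own.

```python
"""Diceware passphrase generation: five dice rolls (6**5 = 7776 outcomes)
select one word from a 7776-entry list. Added example, not the original
post's code or the Diceware project's code."""
import math
import secrets
from typing import Iterable, Optional

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776

# Constructed sample in the Diceware file format ("<five dice digits>\t<word>").
# The real list covers every index from 11111 to 66666; this fragment only
# covers the indices used in the demo at the bottom.
SAMPLE_WORDLIST_TEXT = """\
11111\ta
16665\tbuoy
23144\tdrain
34216\tgrunt
45362\tmarsh
53424\tpulse
61135\tsoggy
66666\tzoom
"""


def parse_wordlist(text: str) -> dict:
    """Parse Diceware-format lines into {"11111": "a", ...}.

    Rejects malformed indices and duplicate indices: a duplicate would make
    one roll ambiguous and quietly shrink the effective list."""
    words = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<index> <word>'")
        index, word = parts
        if len(index) != DICE_PER_WORD or any(c not in "123456" for c in index):
            raise ValueError(f"line {lineno}: bad dice index {index!r}")
        if index in words:
            raise ValueError(f"line {lineno}: duplicate index {index}")
        words[index] = word
    return words


def roll_word_index() -> str:
    """One word's index: five independent die rolls from the OS CSPRNG
    (secrets, never the random module, which is not unpredictable)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


def generate_passphrase(words: dict, n_words: int,
                        rolls: Optional[Iterable[str]] = None,
                        separator: str = " ") -> str:
    """Build a passphrase of n_words Diceware words.

    rolls: optional five-digit strings copied from physical dice. When
    omitted, indices come from roll_word_index(), and the list must then be
    complete, otherwise a random roll could land on a missing entry."""
    if rolls is None:
        if len(words) != LIST_SIZE:
            raise ValueError(f"word list has {len(words)} entries, need {LIST_SIZE}")
        rolls = (roll_word_index() for _ in range(n_words))
    chosen = []
    for index in rolls:
        if index not in words:
            raise ValueError(f"no word for roll {index}")
        chosen.append(words[index])
        if len(chosen) == n_words:
            break
    if len(chosen) != n_words:
        raise ValueError(f"needed {n_words} rolls, got {len(chosen)}")
    return separator.join(chosen)


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    # Rolls as read off physical dice (constructed for the demo).
    dice = ["23144", "45362", "61135", "34216"]
    print(generate_passphrase(words, 4, rolls=dice))   # drain marsh soggy grunt
    print(f"{entropy_bits(4):.1f} bits")                # 51.7 bits
```

With the full 7776-word list loaded, call `generate_passphrase(words, 6)` with no `rolls` argument to let the OS random generator play the part of the dice; the entropy figure does not depend on which words come out, only on how many and on the list size.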

This may seem complex to set up, but it has already been done. There are many online generators available, Google “diceware password generator” (use with caution: a generator running on someone else’s server is choosing your secret for you), or you can download the two implementations on this site in spreadsheet format (LibreOffice ODS and Microsoft Excel XLSX formats, no macros). Bear in mind that a spreadsheet’s random-number function is not a cryptographic generator; for your most important passphrases, roll real dice and look the words up by hand. Diceware can be made to work in any language with a bit of effort, either as an application or in a spreadsheet. BTW, the original creator of Diceware maintains a website at https://theworld.com/~reinhold/diceware.html. This is the OG of Diceware, folks, around since 1995!

Downloads